Specifying Bits in the Packets

To protect your network against attacks and hackers scanning your network for information, you can block packets based on certain bits set in the packet. You can specify the following bits:

ack
fin
psh
rst
syn
urg
Selecting the log Option

Include the log option if you want the Secure Router OS to log a message when both of these conditions are met:

debug access-list is enabled for this ACL
a packet matches this ACL

Enter the log-input option if you want the log message to include the interface on which the matching packet was received.
Entry Order

The order in which you add entries to an ACL is important. The Secure Router OS processes entries one by one in the order in which they are listed. When comparing a packet to an ACL that is applied directly to an interface, the Secure Router OS first attempts to match that packet to the first entry in the ACL. If the packet matches the first entry, the Secure Router OS stops processing the rest of the ACL and takes the action specified in that entry. If the packet does not match the first entry, the Secure Router OS tries to match the packet with the second entry, then the third entry, and so on until it finds a match.

When you are creating entries in an ACL, you should put the most specific entries first. For example, if you want to deny a particular host but permit the subnet on which that host resides, you should first enter the deny entry and then the permit entry. If you enter the permit entry first, the Secure Router OS will process that entry first, and the packet from the host will be permitted because it also belongs to the permitted subnet.

As mentioned earlier, each ACL contains an implicit "deny any" entry at the end of the list of entries. (For an extended ACL, this entry is actually a "deny ip any any" entry, as it denies all packets to and from all hosts.) The any keyword matches any IP address. If a packet does not match any entry in the ACL, it automatically matches the "deny any" entry, and the Secure Router OS denies, or blocks, that packet.
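The following first-match evaluator illustrates the ordering rule above; it is an added example, not code from the manual or from the Secure Router OS. Entries are constructed (action, source, destination) tuples using the "any", "host A.B.C.D" and wildcard-mask address syntax, the implicit "deny ip any any" is applied when nothing matches, and the helper names (evaluate, shadowed) are assumptions made for this example.

```python
import ipaddress

def _parse(spec):
    """Turn an ACL address spec into (network, wildcard) integers.
    Accepts 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (wildcard mask)."""
    if spec == "any":
        return 0, 0xFFFFFFFF
    parts = spec.split()
    net = parts[1] if parts[0] == "host" else parts[0]
    wild = "0.0.0.0" if parts[0] == "host" else parts[1]
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))

def _matches(spec, addr):
    """Wildcard-mask compare: 1 bits in the mask are 'don't care' bits."""
    net, wild = _parse(spec)
    keep = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & keep == net & keep

def _covers(broad, narrow):
    """True if every address matched by `narrow` is also matched by `broad`."""
    bnet, bwild = _parse(broad)
    nnet, nwild = _parse(narrow)
    keep = ~bwild & 0xFFFFFFFF
    return nwild & keep == 0 and bnet & keep == nnet & keep

def evaluate(acl, src, dst):
    """First-match walk of (action, src_spec, dst_spec) entries.
    Returns (action, index); index None means the implicit 'deny ip any any' fired."""
    for i, (action, s, d) in enumerate(acl):
        if _matches(s, src) and _matches(d, dst):
            return action, i
    return "deny", None

def shadowed(acl):
    """Indices of entries that can never match because an earlier entry covers them."""
    out = []
    for j, (_, sj, dj) in enumerate(acl):
        if any(_covers(si, sj) and _covers(di, dj) for _, si, di in acl[:j]):
            out.append(j)
    return out

# Constructed entries (not from the manual): deny one host, permit its /24.
SPECIFIC_FIRST = [("deny", "host 10.1.1.5", "any"), ("permit", "10.1.1.0 0.0.0.255", "any")]
PERMIT_FIRST = SPECIFIC_FIRST[::-1]   # the ordering mistake the text warns about

if __name__ == "__main__":
    print(evaluate(SPECIFIC_FIRST, "10.1.1.5", "192.0.2.10"))  # ('deny', 0)
    print(evaluate(PERMIT_FIRST, "10.1.1.5", "192.0.2.10"))    # ('permit', 0)
    print(shadowed(PERMIT_FIRST))                                # [1]
```

The shadowed() check flags the reversed list because its host-specific deny sits behind a broader permit and can never fire.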
Applying Access Control to Router Interfaces
Using ACLs Alone to Configure Access Control
5-15